Exploiting, Abusing, and Securing the FrontPage Server Extensions on Windows Server 2003

1. FrontPage: 2003

Exploiting, Abusing, and Securing the FrontPage
Server Extensions on Windows Server 2003
Mark Burnett

2.

FrontPage: 2003
Exploiting, Abusing, and Securing the FrontPage
Server Extensions on Windows Server 2003
Mark Burnett

3. Background

History of the FPSE
Different names, same old holes
What products include FPSE?

4. Risks

Are the FPSE as insecure as
everyone says?
What are the real risks?
–
–
–
–
–
–
Increased attack surface
Entry point
Information gathering
Running on system partition
Insufficient logging
Storing files within the web root

5. Risks

What are some greater risks?
– Confusing security model
– Running in-process with
inetinfo.exe
– Relaxed NTFS permissions
– Cannot be secured without NTFS

6. The FPSE Files

The same files?
– _vti_bin/shtml.dll
– _vti_bin/_vti_aut/author.dll
– _vti_bin/_vti_adm/admin.dll
FPSE 2002
– _vti_bin/owssvr.dll
– _vti_bin/_vti_adm/fpadmdll.dll

7. FPSE Directories

_vti_bin – FPSE Binaries
_private _vti_cnf
_vti_pvt
_vti_script
_vti_txt

8. Decoding vti_rpc

Sending vti_rpc methods
– POST to FPSE binaries
– GET to owssvr.dll
– Multiple posts using CAML
Interpreting output

9. Sample Output

• <html><head><title>vermeer RPC
packet</title></head>
• <body>
• <p>method=list services:4.0.2.0
• <p>services_list=
• <ul>
• <li>SR|msiis
• <li>vti_usagevisitsbyweek
• <li>UX|337 380 423 501 297
• <li>vti_usagebymonth
• <li>UX|88 4195 2667 3497 90
• <li>vti_welcomenames
• <li>VX|Default.htm Default.asp
Default.aspx
• <li>vti_adminurl
• <li>SR|/_vti_bin/_vti_adm/fpadmdll.dll

10. Cool vti_rpc Tricks

Finding unprotected web sites
Listing webs
Other info gathering
method=list+services:4.0.2.0000&service_name=

11. vti_rpc Exploits

New exploits to be announced

12. Other Exploits

New exploits to be announced

13. Updating the FPSE

Finding product updates
Confusing and inconsistent
Manual fixes

14. Manual Fixes

Htimage.exe and Imagemap.exe
– Microsoft’s solution
– Another Microsoft solution
– The real solution?

15. The Security Model

Browse, Author, and Administer
NTFS Permissions on web root
Common Mistakes

16. Installing & Uninstalling

Installing &
Uninstalling
Why are the directories there on
a clean install?
Why won’t they uninstall?
How do you remove them?

17. Moving the FPSE

1. Move the binaries
2. Update the registry
3. Update the metabase

18. Securing the FPSE

The FPSE can be used safely if you:
Secure user accounts
Set proper NTFS permissions
Set proper IIS permissions
Configure the registry defaults
Keep patched
Use SSL for authoring
Manage log files
Set IP Restrictions

19. Advanced Techniques

Mirror sites
URLScan Rules
Custom ISAPI filter
FPSE neutered
NTFS restrictions
Remove directories
Disable authoring

20. FPSE Intrusions

Spotting attacks
Log entries
Other trails
FPSE vs. WebDAV

21. Snort Rules

Updated Snort rules
Logging FPSE authoring with
Snort

22. FrontPage Tools

Xfp.pl – FrontPage security
scanner
Fpseinfo.pl – FrontPage info
gathering
SecureFPSE.cmd – Harden
FrontPage Server Extensions
fpBlock – ISAPI filter for
FrontPage IP restrictions

23. Xfp.pl

24. Fpseinfo.pl

Returns FPSE information
- Web server platform
- Anonymous user account
- Site statistics
- Hidden directories
- More

25. SecureFPSE.cmd

Removes htimage.exe and
imagemap.exe
Moves binaries
Registers components in new
lcoation
Updates metabase
Updates registry